54df213162ccbb081e13f8cb5bd84022f7e6587a68a04522da08f9fd56b8ef53

Analysis

max time kernel
85s
max time network
137s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
01-02-2024 04:02

Target

wexhfyjiflbfxbkpbmwi.exe
Size

10.1MB
MD5

5a3566fab9f55ddcf287aa96a60ad579
SHA1

247839d601b36bd2c0411241e4a89b28c6ff70da
SHA256

54df213162ccbb081e13f8cb5bd84022f7e6587a68a04522da08f9fd56b8ef53
SHA512

46f5b7e2524f29ca069da75a0a4c3958d2dada86c7bc7db814ed73a737e5906b6c6cb20cb113d5982975ed6443be0deac9c56338a7c2b5424cfd86232a52b807
SSDEEP

196608:VEzDgHsNFdc2k9dYnqFc9PzzGZnjurXuwLs4PCE4+HtrHpRpfxGjpeQN8:4RNFdav26pjujuwhaE4+HtJRppGsl

Score

10^/10

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1720 created 1000	1720	wexhfyjiflbfxbkpbmwi.exe	11

Deletes itself 1 IoCs

pid	Process
832	expand.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1720	wexhfyjiflbfxbkpbmwi.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1720	wexhfyjiflbfxbkpbmwi.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1720	wexhfyjiflbfxbkpbmwi.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	wexhfyjiflbfxbkpbmwi.exe
Token: SeBackupPrivilege	1720	wexhfyjiflbfxbkpbmwi.exe
Token: SeRestorePrivilege	1720	wexhfyjiflbfxbkpbmwi.exe
Token: SeTakeOwnershipPrivilege	1720	wexhfyjiflbfxbkpbmwi.exe
Token: SeDebugPrivilege	1720	wexhfyjiflbfxbkpbmwi.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 832	1720	wexhfyjiflbfxbkpbmwi.exe	78
PID 1720 wrote to memory of 832	1720	wexhfyjiflbfxbkpbmwi.exe	78
PID 1720 wrote to memory of 832	1720	wexhfyjiflbfxbkpbmwi.exe	78
PID 1720 wrote to memory of 832	1720	wexhfyjiflbfxbkpbmwi.exe	78
PID 1720 wrote to memory of 832	1720	wexhfyjiflbfxbkpbmwi.exe	78
PID 1720 wrote to memory of 832	1720	wexhfyjiflbfxbkpbmwi.exe	78

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1000
- C:\Windows\system32\expand.exe
  "C:\Windows\system32\expand.exe"
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  PID:832

memory/832-2-0x00000238CB7D0000-0x00000238CC9C0000-memory.dmp

Filesize
17.9MB

Download
memory/832-10-0x00000238CC9C0000-0x00000238CC9C1000-memory.dmp

Filesize
4KB

Download
memory/832-9-0x00000238CB7D0000-0x00000238CC9C0000-memory.dmp

Filesize
17.9MB

Download
memory/832-11-0x00000238CB7D0000-0x00000238CC9C0000-memory.dmp

Filesize
17.9MB

Download
memory/832-12-0x00000238CB7D0000-0x00000238CC9C0000-memory.dmp

Filesize
17.9MB

Download
memory/1720-0-0x0000000000D40000-0x00000000020E6000-memory.dmp

Filesize
19.6MB

Download
memory/1720-1-0x000001D0B0620000-0x000001D0B0621000-memory.dmp

Filesize
4KB

Download